1 | P a g e

European Commission

Directorate-General

Migration and Home Affairs

Study on the implementation of the

European Information Exchange Model

(EIXM) for strengthening law enforcement

cooperation

Final Report

26 January 2015

Deloitte

Berkenlaan 8C - 1831 Diegem - Belgium

2 | P a g e

Table of contents

Executive summary ........................................................................................................... 5

1 Introduction ............................................................................................................... 8

2 Scope and methodology of the study .......................................................................... 9

2.1 Scope of the study ......................................................................................................... 9

2.2 Our methodology ........................................................................................................ 10

3 Context .................................................................................................................... 11

3.1 EIXM – the rationale .................................................................................................... 11

3.2 EIXM – the legal and policy underpinning ..................................................................... 13

3.3 EIXM – the legal instruments ....................................................................................... 20

3.4 EIXM – the processes and practical aspects of information exchange ............................ 21

4 The implementation of the European Information Exchange Model (EIXM) ............... 26

4.1 Implementation of the legal instruments ..................................................................... 26

4.2 Processes and practical aspects of information exchange.............................................. 45

4.3 Horizontal challenges of EIXM ...................................................................................... 74

Annexes .......................................................................................................................... 93

Annex 1: Analytical Framework ............................................................................................... 93

Annex 2: Interview guides ....................................................................................................... 98

Annex 3: Glossary of terms .................................................................................................... 105

3 | P a g e

List of figures

Figure 1: Work plan of the study .......................................................................................................... 10

Figure 2: The different layers of a SPOC .............................................................................................. 46

List of tables

Table 1: Instruments of information management currently in place ............................................... 16

Table 2: Main channels for the cross-border exchange of law enforcement information ................ 22

Table 3: Evolution of Prüm implementation (2012-2014) ................................................................... 40

Table 4: Application of the SPOC Guidelines’ criteria in the Member States ..................................... 48

4 | P a g e

Acknowledgements

This assignment was conducted by a team, from Deloitte Belgium and

Deloitte Germany, headed by Richard Doherty with the support of

Benoît Vandresse, Éva Kamarás, Anna Siede, and external experts

Jan Segerberg, prof. Paul de Hert, and prof. Valsamis Mitsilegas.

The production of this report would not have been possible without the efforts of

the stakeholders interviewed or involved in the study’s expert panel and the

input from respondents to our web-based survey. The authors would like to

express their gratitude to all of them.

Finally, the study team would like to thank the Commission officials involved for

their providing information and feedback during the course of the assignment.

DISCLAIMER

By the European Commission, Directorate-General Migration and Home Affairs.

The information and views set out in this publication are those of the author(s)

and do not necessarily reflect the official opinion of the Commission. The

Commission does not guarantee the accuracy of the data included in this study.

Neither the Commission nor any person acting on the Commission’s behalf may be

held responsible for the use which may be made of the information contained

therein.

© European Union, 2015. All rights reserved. Certain parts are licensed under

conditions to the EU. Reproduction is authorised provided the source is

acknowledged.

5 | P a g e

Executive summary

Smooth and secure cross-border information exchanges between law enforcement authorities are essential in order to ensure a high level of security in the EU and tackle serious and organised crime, as well as other offences that require cross-border collaboration. In order to ensure timely access to accurate and up-to-date data for law enforcement authorities, a considerable number of EU instruments and systems have been put in place in recent years, which are also supplemented by international and bilateral arrangements.

The purpose of the study was to provide a follow up to the Commission’s 2012 Communication on the European Information Exchange Model (EIXM Communication), to survey and assess activities carried out in Member States in this context as well as point to possible ways of further improvement.

The conclusions of the EIXM Communication (in particular the fact that no new instruments are needed but rather that existing instruments need consolidating), are appreciated by the stakeholders consulted. However, the EIXM model focused on stocktaking and did not provide an overall vision in the area of information exchange. Hence there seems to be a need for more EU level overall governance and guidance in the area of police information exchange. It is noted that the increased competences of the Commission, as of December 2014, as stipulated by the Lisbon Treaty, present an important opportunity in this regard.

While the progress made in the past few years is very positive, progress with and a common understanding of the SPOC concept and the choice of channel are hindered by the lack of binding rules in these areas. Although there is funding and support at EU level, there seems to be a lack of prioritisation that in some cases hinders the implementation of EU instruments.

The delays in the implementation of Prüm and the difficulties with the application of the SFD create a situation in which progress is further slowed. These factors seem to be decreasing motivation in some Member States to put effort into the implementation and application of EU instruments, if they see that their counterparts are not doing the same.

At the same time, information exchange has increased, but the allocation of resources in Member States working in the area of information exchange has not followed this increase. Furthermore, differences in national legal and administrative systems are in general obstacles to achieving better information exchange.

As a fundamental issue, there is a lack of awareness among police corps on the availability and potential of information exchange, which also is related to the fact that existing training programmes do not fully meet relevant needs.

Furthermore, several points for improvement were identified in relation to the specific themes of the study.

There are two main legal instruments specifically designed to further information exchange: the Swedish Framework Decision and the Prüm Decision. Both have yet to be fully implemented by Member States. There has been progress in the implementation of the Swedish Framework Decision (SFD): most Member States have transposed it. However, it is still not being fully applied, hence it is failing to achieve its full potential. An important factor hampering the application of SFD is the fact that Single Point of Contact (SPOC) officers and field officers are only aware of it to a limited extent. Rather than it being understood that the SFD is a legal tool, the SFD is mostly associated with the forms to be used and these are generally considered too cumbersome. While the forms are hence very rarely

6 | P a g e

used, many consider the SFD not as a practical tool, but as a horizontal principle of information exchange. The time limits are considered useful and are complied with in most cases. However, the obligatory channelling of requests through SPOCs in some Member States is de facto detrimental to the principle of equivalent access, because the distance between the source and end-user of information is extended. On the other hand, refusals to provide information are rare.

Due to low prioritisation in several Member States, the implementation of the Prüm Decisions is still not as advanced as it should be. Procedures to follow up on Prüm hits are not clearly defined in the Member States. There is currently also an ambiguity among practitioners regarding whether SFD should be used for Prüm follow-up or not. Interpol seems to be the channel that is used most frequently for Prüm follow-up, but most officers use different channels depending on the specific case.

The vast majority of Member States have an international police cooperation structure that at least partly complies with the Single Point of Contact (SPOC) criteria set by the EIXM Communication and the subsequent SPOC Guidelines. However, application of the SPOC concept varies across Member States. Although the adoption of the Guidelines seems to have inspired reflection among Member States on how to adapt the organisation of their SPOC, this process remains voluntary and hence limited in scope.

The actual choice of channel through which an information exchange request is communicated currently depends on many factors, which are not consistent across and not even within Member States. Instructions on the choice of channel exist at EU level and in most Member States, but personal considerations, including preferences for a certain channel, also play a major role in the actual choice. The unstructured choice of channel causes complexity for the SPOC and generates risks for the quality of the data.

As concerns the actual use of the different channels, the Europol channel is by many wrongly seen to be confined to the Europol mandate. The Interpol channel is currently used in many cases when only EU Member States are concerned. The SIS II communication channel is in some Member States still used for exchanges under Article 39 of the Convention implementing the Schengen Agreement and under the SFD although legally no longer permissible.

Europol’s SIENA tool is currently used in most Member States, but not to the same extent. Only a very few Member States have started to promote it as the main channel for EU information exchange. Several hurdles still exist, notably the lack of 24/7 availability in the Member States, the fact that SIENA is in most Member States not yet connected to the case management system, as well as low awareness of and sceptical attitudes to SIENA.

There is seemingly a business need within the law enforcement area for extended sharing of information within the EU. One obstacle to such an extension are the rules for entering data in the Europol Information System (EIS), the limited user community and the fact that EIS data is normally not easily accessible on a larger scale in operational police work. This also leads to a vicious circle where the volumes of data in EIS are too small for Member States to invest in resources and solutions to increase their use of it.

For existing and future extensions of information exchange, the Universal Messaging Format (UMF, implemented in SIENA and which can be used for Prüm and SFD) is seen as essential, in particular for instruments where other standards do not yet exist. The implementation of UMF II is making rather slow progress, mainly due to budgetary issues but also due to the short time that has elapsed since the standard was launched. There is however a quite high interest among Member States to proceed with implementing it and also to follow the creation of UMF III, i.e. the next version of UMF, extending its functions.

7 | P a g e

There are currently a range of different actors at national and EU level providing numerous training courses on information exchange. Nevertheless, while individual activities have generally been appreciated by participants, there is currently no overarching strategy at EU and national level. At EU level, a Communication on a European Law Enforcement Training Scheme (including aspects on information exchange) has been adopted. However, most of its action points have not yet been pursued further, mainly due to a lack of resources and the relocation of CEPOL. Moreover, many Member States do not have a training strategy identifying needs and rather offer training on an ad hoc basis. Specific shortcomings have been identified in relation to initial training at police academies, on-boarding for SPOC officers and on-going training for SPOC and field officers.

Specific recommendations regarding the individual themes of the study are provided in the report under each subsection of Chapter 4.

8 | P a g e

1 Introduction

The Commission’s Directorate-General Home Affairs (DG HOME) mandated Deloitte, as a request for services under tender No HOME/2012/ISEC/PR/025-A3, to conduct a study on the implementation of the European Information Exchange Model (EIXM) for strengthening law enforcement cooperation.

The purpose of the study was to provide a follow up to the EIXM Communication1 and to survey and assess activities carried out in Member States in this context as well as point to possible ways of further improvement.

This report constitutes the Final Report of the study on EIXM and presents:

A description of the methodological approach (section 2);

The legal and policy context, the instruments and their key operational features (section 3);

An analysis of implementation of EIXM (section 4); as well as

The following Annexes:

- Annex 1: Analytical Framework;

- Annex 2: Interview Guides; and

- Annex 3: Glossary of terms.

1 Communication from the Commission to the European Parliament and the Council, Strengthening law enforcement cooperation in the EU: the European Information Exchange Model (EIXM); COM(2012) 735; http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdf.

http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdfhttp://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdf

9 | P a g e

2 Scope and methodology of the study

2.1 Scope of the study

Our assessment of the implementation of the European Information Exchange Model (EIXM) landscape focused on the following aspects of EIXM2:

Chapter 3:

Context

The legal and policy frameworks:

The Treaty objectives; The policy instruments; and The relevant articles of the European Charter on Fundamental Rights.

The information exchange instruments:

The Swedish Framework Decision; and The Prüm Decisions.

The processes and practical aspects of information exchange

Chapter 4:

The implementation of the European Information Exchange Model (EIXM)

Implementation of the legal instruments:

The Swedish Framework Decision; and The Prüm Decisions.

Processes and practical aspects of information exchange:

The Single Points of Contact (SPOCs); The channels used for information exchange; The use of instruments to exchange data from national police records; and Technical developments beyond UMF II.

Horizontal challenges of EIXM

Training measures; and Further general considerations.

2 These were also covered in the Commission’s 2012 EIXM Communication.

10 | P a g e

2.2 Our methodology

We carried out the study in three phases:

1. The Structuring phase allowed our team to structure the study according to specific research questions to be answered according to the general and specific objectives stipulated in the Terms of Reference (ToR). This phase ended with the submission and validation of the Inception Report. This phase mainly served to develop the methodological tool that we use to structure all our assignments, namely the Analytical Framework. The Analytical Framework was hence used as the backbone of our project delivery.

2. The study’s Data gathering phase aimed to collect data to respond to the research questions developed in the Inception Report and was carried out through the research activities detailed in our project plan, including data collection at European and national levels (based on desk research, an EU-wide web-based survey, as well as fieldwork in a selection of 12 Member States and telephone interviews in the remaining 16 Member States).

3. The Analysis, judgement and reporting phase is horizontal in that relevant activities occur at different times during the project implementation. The study team analysed data both during and after completion of each research activity.

A final analysis and judgement took place at the last phase of this assignment to produce the Final Report including our conclusions and recommendations for future actions. This consisted of going back to the Analytical Framework to ensure that we have met each objective of the study and given an answer to every research question. This exercise was crucial to the analysis and ensured that conclusions and recommendations, based on a triangulation of the data gathered, were strictly evidence-based.

We present in the Figure 1 a synthesis of the work plan of our study.

Figure 1: Work plan of the study

11 | P a g e

3 Context

We present in this section the frameworks which provide the legal basis for information exchange, including the two specific legal instruments, the Swedish Framework Decision and the Prüm Decisions. This chapter is based on the results of our desk research and inputs received during strategic interviews carried out during the first phase of the project. The following chapter will deal with how the specific instruments have been transposed and are being implemented in practice, together with consideration of information exchange in day-to-day practice.

3.1 EIXM – the rationale

Smooth and secure cross-border information exchanges between law enforcement authorities are essential in order to ensure a high level of security in the EU and tackle serious and organised crime, as well as other offences that require cross-border collaboration. Furthermore, in order to combat crime efficiently, investigating services need to know without delay whether and what information is available in other Member States. In order to ensure timely access to accurate and up-to-date data for law enforcement authorities, a considerable number of EU instruments and systems have been put in place in recent years. International and bilateral arrangements have supplemented this EU action.

In the light of the rather complex and diverse landscape of instruments described later in this chapter, the Commission was invited by the Stockholm Programme3 to assess the need for a European Information Exchange Model (EIXM) following the general principles of the Council’s Information Management Strategy of 20094.

The work on EIXM involved, as a starting point, a mapping exercise and evaluation5, focusing on the following aspects of cross-border information exchange in the EU and the four EFTA countries6:

The legal dimension, including EU and national legislation regulating cross-border exchange of information and criminal intelligence;

The communication channels through which information and criminal intelligence are exchanged;

The actual flow of information and criminal intelligence between relevant key players; and The technical solutions (databases and IT solutions) used to exchange information and criminal

intelligence.

Based on the results of this work, which was presented in different reports, the 2012 ‘EIXM Communication’ on Strengthening law enforcement cooperation in the EU: the European Information

3 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010XG0504(01)&from=EN. 4 Council Conclusions on an Information Management Strategy for EU internal security 2979th Justice and Home Affairs Council meeting Brussels, 30 November 2009; http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/111549.pdf. 5 Strengths and weaknesses as regards cross-border sharing of law enforcement information were also emphasised in the European Information Exchange Model – Conclusions of the Information Mapping Exercise of 2010, which focused on the Swedish Framework Decision and the Prüm Decision. 6 C.f. http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/eixm/index_en.htm.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52010XG0504(01)&from=ENhttp://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/111549.pdfhttp://ec.europa.eu/dgs/home-affairs/what-we-do/policies/police-cooperation/eixm/index_en.htm

12 | P a g e

Exchange Model (EIXM)7 took stock of the state of play. It then provided recommendations for improvements. Its main conclusion was that existing instruments and channels for the exchange of law enforcement information should be improved rather than developing and putting in place new instruments and databases. The present study builds on this information and provides a further assessment of national activities. Based on this assessment, concrete recommendations to address weaknesses and improve the level of compliance with the EIXM recommendations8 or possible alternatives are provided.

In order to achieve the objectives of this study, it is imperative to have a good understanding of the current landscape of information exchange activities between law enforcement authorities and the key aspects that make up this “landscape”, taking account of the findings of the previous studies.

In line with the EIXM Communication, such aspects include the legal instruments, the communication channels and tools used for cross-border exchange of information, the key players involved and the information flows.

The instruments for information exchange are various types of concrete EU measure or system put in place to ensure smooth communication between law enforcement authorities across borders. The key instruments are:

The Swedish Framework Decision (SFD)9, which covers the exchange of information for the purpose of criminal investigations or criminal intelligence operations, with a particular focus on access to information;

The Prüm Decision10 , which provides for automated exchange of biometric data (DNA profiles and fingerprint data) and vehicle registration data for the prevention and investigation of criminal offences and maintaining public security11;

The Schengen Information System (SIS (II))12 which provides alerts on persons and objects; and The Council Decision establishing the European Police Office (Europol)13, which provides for

the collection, storage, processing, analysis, and exchange of information and intelligence as one of Europol’s principal tasks.

We introduce the policy framework and relevant practical aspects in this chapter, but before doing so, we describe the overarching frameworks in the Treaty and policy. The next Chapter discusses implementation of the instruments and the broader practice of information exchange.

7 COM (2012) 735 final (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0735:FIN:EN:PDF). 8 The recommendations are reiterated per topic at the start of every section in chapter 4. 9 Council Framework Decision 2006/960 JHA on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union. 10 Council Decision 2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime. 11 The following information is exchanged: Prevention of data – fingerprint (FP) and vehicle registration data (VRD); investigation of criminal offences – DNA, FP, VRD; and maintaining public security – VRD. 12 Cf. Council Decision No 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II). 13 Council Decision 2009/371/JHA establishing the European Police Office (Europol) (see: https://www.europol.europa.eu/sites/default/files/council_decision.pdf).

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0735:FIN:EN:PDFhttps://www.europol.europa.eu/sites/default/files/council_decision.pdf

13 | P a g e

3.2 EIXM – the legal and policy underpinning

The instruments described above fall within overarching objectives set by the Treaty and specific policy frameworks described below and have to be applied with respect for fundamental rights. This section discusses:

The relevant Treaty objectives that provide the legal basis for action in this field; The policy frameworks deriving from the Treat objectives; and Relevant Articles of the European Charter of Fundamental Rights.

The Treaty provisions

The effective elimination of internal borders in the EU and subsequently the ease of crime to spread have increased the need for a coordinated system of cooperation with regard to judicial, police, and related administrative matters. This is recognised by Article 87 of the Treaty on the Functioning of the European Union (TFEU), which established the legal basis for EU action in relation to information exchanges between law enforcement authorities: “The Union shall establish police cooperation involving all the Member States' competent authorities, including police, customs and other specialised law enforcement services in relation to the prevention, detection and investigation of criminal offences.” This includes the possibility of establishing measures in the following three areas, of which the first [87(2)(a)] is the most important for the purpose of this Study:

Collection, storage, processing, analysis and exchange of relevant information; Support for the training of staff, and cooperation on the exchange of staff, on equipment and

on research into crime-detection; and Common investigative techniques in relation to the detection of serious forms of organised

crime.

In view of the sometimes overlapping role of the police and the judiciary (since in some countries judicial authorities carry out tasks that are done by police in other countries as discussed below), other Treaty provisions e.g. on judicial cooperation also play a role in this field, as well objectives relating to the exchange of information in specific areas, such as asylum and migration or customs.

It is important to note that the Treaty framework relating to law enforcement cooperation has undergone substantial changes. By moving the former ‘Third Pillar’ (police and judicial cooperation) from the Treaty on European Union to the TFEU, the Treaty of Lisbon altered the modalities of law making and enhanced judicial review by the Court of Justice of the EU (CJEU) in the area of Justice and Home Affairs. It is expected that this will have positive effects on the standard of judicial review in this area. In this regard it needs to be noted, however, that the CJEU may not review the validity or proportionality of operations of national law enforcement authorities (Article 276 TFEU), as this is related to the core of the functions of the state of safeguarding security (cf. Articles 4 and 72). Consequently, national courts and the European Court of Human Rights will play an important role with regard to judicial review in the law enforcement sector as well. In addition, the Commission was granted new powers with respect to the enforcement of the rules covered by this policy area. In particular, as of December 2014 it is possible for the Commission to start infringement proceedings in case of non-compliance.

The Lisbon Treaty also made the Charter of Fundamental Rights of the European Union (the Charter)14 legally binding (Article 6 TEU), thus strengthening fundamental rights, including data protection. The

14 OJ C 326, 26.10.2012, p. 391. (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2012:326:0391:0407:EN:PDF).

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2012:326:0391:0407:EN:PDF

14 | P a g e

fundamental rights and data protection provisions that are relevant with regard to information exchange in the law enforcement sector are further discussed in section 3.2.3.

Policy frameworks for the exchange of law enforcement information

This sub-section describes the policy framework that has been established based on the Treaty

provisions, including actions and objectives set out in the so-called Hague15 and Stockholm

Programmes, the Council’s 2009 Information Management Strategy and the related Action Plans, as

well as Commission Communications and studies.

3.2.2.1 The Hague and Stockholm Programmes

In 2005, the Hague Programme introduced the principle of availability, according to which information for law enforcement purposes needed by authorities of one Member State are made available by the authorities of the Member State where the information is stored. The European Council stressed that the following conditions should be observed in the implementation of the principle of availability:

The exchange may only take place in order for legal tasks to be performed; The integrity of the data to be exchanged must be guaranteed; The need to protect sources of information and secure the confidentiality of the data at all

stages of the exchange, and subsequently; Common standards for access to the data and common technical standards must be applied; Supervision of respect for data protection, and appropriate control prior to and after the

exchange must be ensured; and Individuals must be protected from abuse of data and have the right to seek correction of

incorrect data.

While building on the objectives of its predecessors, the Stockholm Programme16 in 2010 shifted the focus from the prime objective of combating terrorism and organised crime to widespread cross-border crime that has a significant impact on the daily life of the citizens of the EU, e.g. also cybercrime. The Programme identified Europol as the main “hub” for information exchanges between the Member States’ law enforcement authorities. In this way, the Stockholm Programme not only called for a “business driven development, a strong data protection regime, interoperability of IT systems and a rationalisation of tools as well as overall coordination, convergence and coherence”17, but also for the examination of how to ensure that Europol receives information from Member States’ law enforcement authorities and how operational police cooperation can be stepped up, e.g. as regards incompatibility of communication systems and other equipment. Finally, the Stockholm Programme emphasised the need for the adoption of a decision on the modalities of cooperation, including on the exchange of information between EU agencies. Hence, the use and interoperability of various channels for the exchange of law enforcement information between Member States’ authorities and EU bodies in order to make crime prevention and the protection against serious and organised crime more effective is at the heart of the Stockholm Programme.

Like its predecessors, the Stockholm Programme was supported by the development of an Action Plan18 for the implementation of the objectives within a given timeframe. The Plan lays down the basis for the implementation of an Internal Security Strategy19, implying a coordinated approach to police

15 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2005:053:0001:0014:EN:PDF. 16C.f.http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:115:0001:0038:EN:PDF. 17 C.f. http://register.consilium.europa.eu/pdf/en/09/st16/st16637.en09.pdf. 18 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0171:FIN:EN:PDF. 19 The related EU Communication COM(2010) 673 sets out five strategic objectives: (1) Disrupt international criminal networks, (2) Prevent terrorism and address radicalisation and recruitment, (3) Raise levels of security for citizens and

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2005:053:0001:0014:EN:PDFhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:115:0001:0038:EN:PDFhttp://register.consilium.europa.eu/pdf/en/09/st16/st16637.en09.pdfhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0171:FIN:EN:PDF

15 | P a g e

cooperation border management, criminal justice cooperation and civil protection. In order to improve the exchange of information between relevant public bodies, the Action Plan requires an overview of existing data collection, processing and data-sharing systems, with a thorough assessment of their usefulness, efficiency, effectiveness, proportionality and their respect of the right to privacy in order to develop a consolidated and coherent mechanism for future information exchange. In relation to the need for improved exchange of information, the Action Plan, for example, laid the groundwork for the European Commission Communication on the overview on information collection and exchange20 and the Communication on the European Information Exchange Model21. Further action in this area is based on the Council’s Information Management Strategy followed by another Action Plan discussed in the next section.

3.2.2.2 The Council’s Information Management Strategy

In order to remedy the current situation of an "uncoordinated and incoherent palette of information systems and instruments", which has "incurred costs and delays detrimental to operational work"22, the incoming Swedish Presidency submitted a proposal to the Ad Hoc Working Group on Information Exchange for an Information Management Strategy in June 2009.23 The aim of the strategy was to define how information should be stored and exchanged, as well as how the process should be managed. Thus, the document provides guidance on how to ensure an appropriate information exchange where supply of information takes account both of business needs and the rights of the individual in order to assist law enforcement authorities in how to efficiently organise an effective cross-border exchange of information.

The strategy was updated in Council conclusions under the Italian Presidency at the end of 201424.

The strategy consists of the following focus areas:

Needs and requirements:

o Needs, requirements and added value are assessed as a precondition for development;

o Development follows agreed law enforcement workflows and criminal intelligence models;

o Development supports both data protection requirements and business operational needs;

Interoperability and cost efficiency:

o Interoperability and co-ordination are ensured both within business processes and technical solutions;

o Re-utilisation is the rule: do not re-invent the wheel;

Decision-making and development processes:

o Member States are involved from the very start of the process;

businesses in cyberspace, (4) Strengthen security through border management, and (5) Increase Europe’s resilience to crises and disasters. 20 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDF. 21 C.f. http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/ 20121207_com_2012_735_en.pdf. 22 See the report of the Future Group of Ministers of Home Affairs. 23 C.f. http://register.consilium.europa.eu/pdf/en/09/st16/st16637.en09.pdf. 24 C.f. http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2015701%202014%20REV%201.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDFhttp://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdfhttp://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdfhttp://register.consilium.europa.eu/pdf/en/09/st16/st16637.en09.pdfhttp://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2015701%202014%20REV%201

16 | P a g e

o There is a clear responsibility for each part of the process, ensuring competence, quality and efficiency; and

Multidisciplinary approach: multidisciplinary coordination is ensured within the Justice and Home Affairs (JHA) area.

3.2.2.3 European Commission Communication on the Overview of Information Management

In 2010, the European Commission published a Communication concerning an overview of information management in the area of freedom, security and justice.25 The Communication provides a synthesis of EU-level measures regulating the management of personal information and proposes a set of principles for the development and assessment of such measures in order to make the approach to the exchange of information more coherent.

The Communication covered information exchange instruments that facilitate the exchange of personal data and were at that time (1) either currently in force, under implementation or consideration, or (2) set out in the Stockholm Programme Action Plan. The table below includes the instruments that were covered in the Communication. It was adapted so as to represent the changes since 2010. Instruments that are highlighted as part of the specific objectives in the Terms of Reference for this study are marked in bold.

Table 1: Instruments of information management currently in place26

Objective Instruments

Instruments either currently in force, under implementation or consideration

Aiming to enhance the

operation of the Schengen

area and the customs union:

Second Generation Schengen Information System (SIS II);

EURODAC;

Visa Information System (VIS);

Advanced Passenger Information System (API);

Naples II Convention;

Customs Information System; and

Customs file identification database (FIDE).

Aiming to prevent and

combat terrorism and other

forms of serious cross-

border crime

Swedish Framework Decision;

Prüm Decision;

European Criminal Records Information System (ECRIS);

Financial Intelligence Units (FIUs);

Asset Recovery Offices (AROs);

Cybercrime Alert Platforms;

European Police Office (Europol); and

European Union’s Judicial Cooperation Unit (Eurojust).

Aiming to prevent and

combat terrorism and other

forms of serious

transnational crime

Passenger Name Record (PNR); and

Terrorist Finance Tracking Program (TFTP).

25 COM(2010)385, see: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDF 26 This table is based on the Overview Communication but has been adapted by the authors of this study.

17 | P a g e

Objective Instruments

Instruments set out in the Stockholm Programme Action Plan

Legislative proposals to be

presented by the

Commission

Passenger Name Record package;

Entry/Exit System (EES); and

Registered Travellers Programme (RTP).

Initiatives to be studied by

the Commission

EU terrorist finance tracking system;

Electronic System of Travel Authorisation (ESTA); and

European Police Records Index System (EPRIS).

A central finding of analysis of the above instruments in the Communication is that the exchange of law enforcement information in the EU is characterised by:27

A decentralised structure; Limited or unitary purposes of various instruments; Potential overlaps of their function; Differentiated control and access rights according to the logic of different law enforcement

communities; Variable data retention and security rules, as well as identity management principles; and Divergent review mechanisms. Hence, the conclusion of a divergent landscape with regard to

information collection and exchange instruments is at the heart of the Communication.

3.2.2.4 Schengen evaluation and governance

Council Regulation 1053/201328 covers the establishment of an evaluation and monitoring mechanism to verify the application of the Schengen acquis. This Schengen Evaluation Mechanism (SEM) will provide an opportunity to verify the application of the Schengen acquis in the field of law enforcement cooperation, including the way information is exchanged and how communication takes place.

Apart from the core of the Schengen acquis (Schengen Convention, Schengen Information System) the SEM will also look into the practical use of the SFD, Prüm, Europol tools and the concepts of EIXM (e.g. SPOCs). As an example of this function of the SEM, the standard questionnaire for Member States, drawn up in July 2014, contains questions related to police cooperation and information exchange. The SEM could therefore also partly be an instrument for verifying the implementation of the EIXM recommendations.

27 The detailed findings of this Communication will further inform the analysis of the information exchange mechanisms and channels relevant in the context of the EIXM. 28 Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R1053&from=EN.

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R1053&from=ENhttp://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013R1053&from=EN

18 | P a g e

Relevant provisions in the Charter of Fundamental Rights and data protection legislation

As indicated above, the Lisbon Treaty rendered the European Charter of Fundamental Rights binding by means of Article 16 of the TFEU.29 According to Article 51, the Charter is applicable to institutions, agencies and other bodies of the Union, as well as to Member States when they are implementing EU law. The Charter includes a number of Articles that are relevant to law enforcement cooperation and the fight against cross-border crime. The most pertinent Articles are:

Right to liberty and security (Article 6); Respect for family and private life (Article 7); and Protection of personal data (Article 8).

While Article 6 ensures the security of persons within the European Union and thus can be seen as a plea for (cooperative) law enforcement mechanisms in itself, Articles 7 and 8 set the boundaries for public authorities’ competences by stipulating everyone’s right to respect for his or her private and family life, home and communications, and the right to the protection of personal data. Hence the European Charter of Fundamental Rights can be seen both as an enabler and limiter of cross-border law enforcement cooperation and the related information exchange mechanisms.

Article 8 of the EU Charter states that personal data must be processed fairly for specified purposes, and that must either be on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules is subject to control by an independent authority.

In addition, the Charter includes a number of citizens’ rights (Title V) and judicial rights (Title VI). Article 41 is particularly relevant as it which lays down the right to good administration. On the basis of Article 41, everyone has the right to have his or her affairs handled impartially, fairly and within a reasonable time by the institutions, bodies, offices and agencies of the Union handle his or her affairs impartially, fairly and within a reasonable time. This includes e.g. the right to be heard. Judicial rights include for example the right to an effective remedy, as stipulated in Article 47.

Article 52 lays down rules on the scope and interpretation of the provisions contained in the Charter. Accordingly, the rights should be interpreted in the light of the corresponding Treaty provisions (where applicable), taking into account the explanations attached to the Charter as well as relevant case-law of the European Court of Human Rights. Article 52(1) provides for general rules to restrict the rights guaranteed by the Charter. Limitations can be made to protect a “general interest recognised by the Union or […] the rights and freedoms of others.” Any limitation must be necessary and proportionate, and prescribed by law, maintaining the essence of the right concerned.

While the data protection provisions in the EU Charter and the TFEU apply to all EU policy areas, it is recognised under EU law that the specific nature of the field of law enforcement cooperation may call for tailored data protection rules.30

As regards the general data protection framework, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data31 is the central instrument in the EU. It specifies general data protection principles that had previously been agreed

29 OJ C 326, 26.10.2012, p. 391. (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2012:326:0391:0407:EN:PDF) 30 Declaration (No. 21) on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation, OJ. C 83, 30.3.2010, p. 344. 31 http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2012:326:0391:0407:EN:PDFhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

19 | P a g e

upon in a Council of Europe Convention.32 The Directive also required Member States to set up specialised and independent authorities to ensure that the data protection rules are observed (Article 28). Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies33 complements the Directive and established the European Data Protection Supervisor (EDPS) to fulfil the role of an EU independent supervisory authority. A proposal to amend the Directive was put forward by the European Commission in 201234.

To ensure that the specific needs of the law enforcement sector were taken account of, Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters35 was adopted. It contains rules on data processing, data transmission, rights of the data subject and safeguards ensuring data quality, security, and protection. The implementation of this document is still ongoing. By 9 November 2011, 14 Member States had indicated that they had legislation in force to implement the Framework Decision, and two had indicated that they had no need to transpose the Decision.36

The Framework Decision has been subject to criticism as regard its effectiveness. The Commission has in particular pointed out that its limited scope is the source of problems, in particular because the Decision only applies to cross-border data processing activities37. Domestic data processing activities are thus assessed on the basis of national data protection provisions, although it is often difficult to distinguish between the two categories. Moreover, the Decision does not apply to instruments enacted at EU level that already have a tailor-made data protection approach in place. This creates a wide landscape of different rules. As part of the review of the data protection framework, the Commission proposed a Directive on 28 January 2012 to enhance the data protection rules in this area.38

In addition to the general data protection framework applicable in the framework of police and judicial cooperation, there are rules that are applicable to specific instruments, which are enshrined in the relevant legal bases.39 In the EIXM Communication, the Commission underlined that in cases that involve sequential use of more than one instrument, care needs to be taken to ensure that the rules on data protection of each instrument are to be respected.40

In its opinion on the EIXM Communication, the EDPS underlined the importance of taking data protection into account when further developing EIXM. As technology changes, the interoperability between different databases may pose challenges to data protection. In this regard, the EDPS pointed to the importance of the data protection principle of purpose limitation, which states that data may only be used for the purpose of its original collection.41

32 Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data (http://www.conventions.coe.int/Treaty/en/Treaties/Html/108.htm ). 33 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001R0045:EN:HTML. 34 C.f. http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm. 35 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32008F0977:EN:NOT. 36 COM(2012) 12 final (http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0012:FIN:EN:PDF). 37 COM(2010) 609 final (http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf ), pp. 13, 14. 38 COM (2012) 10 final. 39 See e.g. Chapter 6 of the Prüm Decision as well as the Europol Council Decision. 40 EIXM Communication, p. 6. 41 Opinion of the European Data Protection Supervisor on the EIXM Communication (https://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-04-29_EIXM_EN.pdf).

http://www.conventions.coe.int/Treaty/en/Treaties/Html/108.htmhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32001R0045:EN:HTMLhttp://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htmhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32008F0977:EN:NOThttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2012:0012:FIN:EN:PDFhttp://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdfhttps://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-04-29_EIXM_EN.pdfhttps://secure.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2013/13-04-29_EIXM_EN.pdf

20 | P a g e

3.3 EIXM – the legal instruments

This section is an introduction to the formal aspects and main features of the legal instruments which are the focus of this study:

The Swedish Framework Decision; and The Prüm Decisions.

The Swedish Framework Decision

In the light of the terrorist attacks in Madrid and London, in 2004 and 2005, Sweden proposed an initiative to simplify the exchange of information and intelligence between law enforcement authorities.42 The so-called Swedish Framework Decision (SFD)43, adopted in 2006, sets out common rules on procedures according to which information may be exchanged between Member States’ law enforcement authorities.

The essence of the Decision is that Member States must ensure that the conditions applied to providing and requesting information and intelligence to or from competent law enforcement authorities from other countries are not stricter than those applicable at national level (Article 3). This is referred to as the principle of equivalent access, which is considered as a major step forward in cross-border law information exchange44. By establishing relevant conditions for the provision of information and intelligence, the Swedish Framework Decision partly implements the principle of availability established in The Hague Programme45. Notably, Article 4 stipulates time limits for providing information.46 If the time limits cannot be kept to, the Member State receiving the request is required to provide reasons for not being able to comply. In addition, the Decision seeks to promote information exchange with Europol and Eurojust for crimes that fall within their mandates.47

While Member States are obliged to share relevant information with other Member States, there are certain limits are enshrined48 in the Decision. In particular, the Decision does not include an obligation for Member States’ law enforcement authorities to collect information in order to be able to answer queries from other national or EU bodies. Moreover, information may be used as evidence as part of a judicial procedure49 only if the source Member State has given its consent (Article 1). In addition, the SFD provides grounds to refuse information, for example on the grounds of national security interests (Article 10).

42 C.f. http://www.consilium.europa.eu/uedocs/cmsUpload/DECL-25.3.pdf. 43 Framework Decision 2006/960 JHA on simplifying the exchange of information and intelligence between law enforcement authorities of the Member States of the European Union, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:386:0089:0100:EN:PDF. 44 C.f. http://www.eumonitor.nl/9353000/1/j4nvgs5kjg27kof_j9vvik7m1c3gyxp/vj6iponbr3yj/f=/14755_1_12_rev_1.pdf. 45 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2005:053:0001:0014:EN:PDF. 46 Accordingly, urgent requests shall be responded to in eight hours, Non-urgent cases shall be responded to within one week. In all other cases, information shall be provided within 14 days. 47 Cf. Article 6(2) SFD. 48 In practice, these forms are rarely used and their added-value has been questioned by a number of stakeholders. This is discussed in section 4.1.1.2 Operational compliance with the Swedish Framework Decision’s legal requirements. 49 It is noted that the recent adoption of the European Investigation Order (Directive 2014/41/EU of the European Parliament and of the Council of 3 April 2014 regarding the European Investigation Order in criminal matters) will influence the judicial aspects of law enforcement information exchange, as further explained in this section.

http://www.consilium.europa.eu/uedocs/cmsUpload/DECL-25.3.pdfhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:386:0089:0100:EN:PDFhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:386:0089:0100:EN:PDFhttp://www.eumonitor.nl/9353000/1/j4nvgs5kjg27kof_j9vvik7m1c3gyxp/vj6iponbr3yj/f=/14755_1_12_rev_1.pdfhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2005:053:0001:0014:EN:PDF

21 | P a g e

Finally, the SFD incorporates forms which may be used by law enforcement authorities for the exchange of information. Annex A of the SFD contains a form to be used for transmitting requested information and Annex B contains a form to request information.

The Prüm Decisions

The cooperation that started as a multilateral treaty between Austria, Belgium, France, Germany,

Luxembourg, the Netherlands and in 2005, i.e. the Prüm Convention50, was shifted to EU level with

Council’s Decision 2008/615/JHA51 and the related provisions for its implementation 2008/616/JHA52

(the two ‘Prüm Decisions’). The Prüm Decisions set out provisions regarding:

Automated search of data;

Supply of data in relation to major events;

Supply of information in order to prevent terrorist offences; and

Other measures for stepping up cross-border police cooperation.

They include the obligation to establish databases related to automated DNA analysis files, automated

dactyloscopic (i.e. fingerprint) identification systems53, and vehicle registration data54, as well as

procedures and modalities for Member States’ access to each other’s databases in the context of cross-

border law enforcement.

3.4 EIXM – the processes and practical aspects of information exchange

In this section we discuss the key operational features and players in implementation of EIXM.

The 2012 EIXM Communication discussed the three main EU and international communication channels used for cross-border information exchange. The communication channels used involve different types of national unit and/or authority in each Member State. The national units may be, but are not restricted to, Single Points of Contacts (SPOC).55 In addition, there are other channels within the EU, such as bilateral Liaison Officers (who are distinct from Europol liaison officers), specific sectorial channels, and Police and Customs Cooperation Centres (PCCCs) in border regions.

The channels are designed for different purposes and use different communication tools:

The Europol channel offers exchange via the National Units and the Europol liaison officers. SIENA56 is the corresponding communication tool. Exchanges via the Europol channel do not

50 Convention on the stepping up of cross-border cooperation, particularly in combating terrorism, cross-border crime and illegal migration, c.f. http://register.consilium.europa.eu/pdf/en/05/st10/st10900.en05.pdf. 51 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:210:0001:0011:EN:PDF. 52 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:210:0012:0072:EN:PDF. 53 This has enabled law enforcement authorities within the Member States, for example, to compare DNA profiles and fingerprints found at crime scenes with (anonymised) database entries in databases of all Member States. In a second step, specific related personal data can be requested from the Member State administering the file in order to match the crime evidence with the database information. The procedure is run through a designated national contact point in each Member State, i.e. an intermediate institutions that national officials have to contact in order to proceed with data comparisons. 54 Car registration data (including licence plates and chassis numbers) are exchanged through national platforms that are linked to the online application EUCARIS. 55 The term SPOC is used in this study to refer to international police cooperation units in the Member States, without implying that these fulfil all the criteria set at EU level. Further information about the concept can be found in section 4.2.1 The Single Points of Contact (SPOCs). 56 Secure Information Exchange Network Application.

http://register.consilium.europa.eu/pdf/en/05/st10/st10900.en05.pdfhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:210:0001:0011:EN:PDFhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2008:210:0012:0072:EN:PDF

22 | P a g e

need to be related to Europol’s mandate, but could also be related to other crimes of bi- or multilateral concern.

The Interpol channel is generally mainly meant for exchanges involving third countries. Information is exchanged via the Interpol National Bureaux, using the communication tool I-24/7.

The SIRENE Bureaux57 are responsible for exchanging information related to or supplementary to SIS data. SIRENE Bureaux use the SIS II communication network as communication tool.

The PCCCs are the central contact points for border regions. They mainly deal with regional cases with a cross-border element. Cases the PCCC deals with revolve, for example, around serious and sometimes organised crime, burglary or stolen vehicles.

The following table provides a brief comparison of the three main channels and additional bilateral channels in terms of the tools used, the legal basis and whether the choice of channel is compulsory under EU law or not.

Table 2: Main channels for the cross-border exchange of law enforcement information

Office/Unit responsible

Tool/network used

Legal basis Choice of channel

Europol National Units

SIENA (developed within Europol but not specifically mentioned in the legal basis)

Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office

Compulsory

Interpol National Central Bureaux

I-24/7 n/a Not compulsory in most situations58

SIRENE Bureaux SIS II network 1. Council Regulation 1987/2006 of the EP and COUNCIL of 20/12/2006 on the establishment, operation and use of the second generation SIS (SIS II);

2. Council Decision 2007/533/JHA of 12 June 2007 on establishment, operation and use of the second generation SIS (SIS II); and

3. Commission Decision adopting SIRENE Manual, 26 February 2013.59

Compulsory

Bilateral Liaison Officers

Diverse Bilateral agreements Depends

National contact points, e.g. Police and

Diverse Based on the legal provisions for the other channels and tools in order to implement national contact points

Depends

57 Supplementary Information Request at the National Entry. SIRENE Bureaux are national coordination offices in the participating countries that provide supplementary information on alerts and coordinate measures in relation to alerts in the Schengen Information System (SIS). (http://www.consilium.europa.eu/policies/justice-et-affaires-interieures-%28jai%29/schengen). 58 There is an obligation for EU Member States to exchange passport data with Interpol in certain situations, as set out in Council Common Position 2005/69/JHA of 24 January 2005 on exchanging certain data with Interpol (http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32005E0069). 59 C.f. http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:071:0001:0036:EN:PDF.

http://www.consilium.europa.eu/policies/justice-et-affaires-interieures-%28jai%29/schengenhttp://www.consilium.europa.eu/policies/justice-et-affaires-interieures-%28jai%29/schengenhttp://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32005E0069http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32005E0069http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2013:071:0001:0036:EN:PDF

23 | P a g e

Office/Unit responsible

Tool/network used

Legal basis Choice of channel

Customs Cooperation Centres60

Clearly, there is great diversity in terms of the measures (instruments, channels and tools) that have been put in place, with each of them designed for a specific purpose. An investigation may thus involve parallel or sequential use of more than one instrument or channel. The choice of information channel is only partly regulated by EU legislation. Specific rules apply to operating the channels and tools related to Interpol.

Two of the main legal bases for information exchange, the SFD and the Prüm Decisions (discussed in the previous section), do not include a definition of the choice of channel. On the other hand, supplementary information following hits with alerts in the SIS must be followed up by the SIRENE office via the dedicated SIS II channel.

As far as the key players are concerned, the EIXM Communication refers to law enforcement cooperation without strictly defining the scope. No common EU definition of “law enforcement authorities” exists, and the players involved in investigations in different Member States may vary. According to the Study on the status of information exchange amongst law enforcement authorities in the context of existing EU instruments61 law enforcement authorities “typically include police units and competent authorities such as Gendarmerie, Customs and Excise authorities, Border Guards and Coast Guards, but individual agency responsibilities and organisational procedures often vary between MS.” The involvement of the judicial authorities, including prosecutors, at various stages of the criminal justice process varies between the Member States. This has implications for the need to apply Mutual Legal Assistance (MLA) procedures, which impacts on information exchange.

From a technical perspective, the effective and efficient exchange of law enforcement information depends on the availability and interoperability of up-to-date IT infrastructure. Issues such as, for example, fast, stable, and secure network connections as well as IT access management and software upgrades are as important as the interoperability of technical and administrative standards within the Member States, e.g. with regard to the implementation of the Universal Messaging Format II (UMF II) standard.

There is seemingly a business need for extended sharing of information within the EU, namely to exchange information from national police records. To this end, the Commission examined whether the introduction of a European Police Records Index System would be desirable. In the EIXM Communication, it is highlighted that the identified business needs could partly or fully be solved by existing instruments that are currently not used to their full potential. Thus, the introduction of a new system was not considered necessary.

Specialised information exchange training for law enforcement staff is currently provided through Europol and the European Police College (CEPOL). SIRENE training programmes are also carried out on a regular basis in cooperation between the Commission, CEPOL, the European Agency for the

60 Established on the basis of the Convention implementing the Schengen Agreement of 14 June 1985 between the Governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders. 61 C.f. http://ec.europa.eu/dgs/home-affairs/doc_centre/police/docs/icmpd_study_lea_infoex.pdf (p. 16).

http://ec.europa.eu/dgs/home-affairs/doc_centre/police/docs/icmpd_study_lea_infoex.pdf

24 | P a g e

operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) and Member States. The training relates to the practical and technical aspects of information exchange. In addition, exchanges of staff are offered at the EU level.

The EIXM Communication highlights that respect for fundamental rights, including the right to data protection and privacy, is a horizontal issue to be taken into consideration in the context of law enforcement information exchange. This includes, for example, to the collection, storage and sharing of personal data. It is therefore relevant to consider the provisions in primary legislation and general data protection instruments, as well as specific rules on data protection that apply to the individual instruments of information exchange.62

The EIXM Communication concludes – based on the numerous studies on the functioning of the existing activities – that cross-border information exchanges generally work well. However, while the EIXM Communication concludes that no new EU level law enforcement database or instruments are currently needed, it pointed to some necessary improvements, making the following recommendations: (1) improve the use of existing instruments, (2) streamline and improve the management of the channels, (3) ensure better data quality, security, and protection, (4) improve training and awareness for and among law enforcement officials, and (5) increase the use of available funding opportunities.63 More specifically, the gaps it identified related in particular to:

The Member States have not fully implemented the Swedish Framework Decision (e.g. with regard to the principle of equivalent access64) and the Prüm Decision;

The law enforcement authorities have different approaches to the choice of channel and therefore different channels are used to different extents;

Not all law enforcement authorities have developed national instructions for the choice of channel;

Single Points of Contact (SPOCs) in the form of central coordination units have not yet been set up by all Member States;

Technical interoperability under UMF II is not yet fully assured; Appropriate and in-depth training and participation in mutual exchange programmes is not

always assured for law enforcement officials, in particular specialist officers; Increased use of funding opportunities under the 2014-2020 EU Internal Security Fund is

imperative; and Prüm statistics need to be improved.65

Through its detailed recommendations, the Commission’s Communication provides a “Model for guiding EU and Member State activity”66. The Commission is to provide adequate support, including funding and guidance for training measures.

62 See section 3.2.3 Relevant provisions in the Charter of Fundamental Rights and data protection legislation. 63 In order to ensure effective information exchange, Member States can make use of EU funding under the Prevention of and Fight against Crime Fund that was replaced by an EU Internal Security Fund as of 2014. Funding is available in particular in relation to the development and implementation of the UMF II standard and the implementation of Prüm. 64 See section 2.3.1. 65 As part of the technical operating system within which Member States law enforcement authorities and EU bodies can exchange relevant information, a specific secretariat, i.e. an organisation or Member State explicitly appointed for this task, can gather logged information on messages sent/received by all the participating Member States in order to produce statistical reports. 66 See the EIXM Communication ( http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdf ), p. 2.

http://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdfhttp://ec.europa.eu/dgs/home-affairs/e-library/documents/policies/police-cooperation/general/docs/20121207_com_2012_735_en.pdf

25 | P a g e

The EIXM underlines that the principles that were set out in the 2010 “Overview Communication”67 applied to developing new initiatives and evaluating current instruments:

Substantive principles: safeguarding fundamental rights, including data protection and privacy; necessity; subsidiarity; and accurate risk management.

Process-oriented principles: cost-effectiveness; bottom-up policy design; clear allocation of responsibilities; and review and sunset clauses.

These principles have also been taken into account as part of the present study.

67 Overview of information management in the area of freedom, security and justice; http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDF.

http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDFhttp://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0385:FIN:EN:PDF

26 | P a g e

4 The implementation of the European Information Exchange Model (EIXM)

In this Chapter we first look at the implementation of the legal instruments:

Implementation and operational compliance with the Swedish Framework Decision; and Implementation and operational compliance with the Prüm Decisions.

We then look at information exchange in practice, including the relationship with other instruments where applicable. We cover the following areas:

The Single Points of Contact (SPOCs); The channels used for information exchange; The use of instruments to exchange data from national police records; and Technical developments beyond UMF II.

Finally, we present horizontal challenges of EIXM, including:

Training measures; and Further general considerations.

The information in this chapter is the result of the data collection activities described in section 2.2, including in particular an EU-wide web-based survey, as well as fieldwork in a selection of 12 Member States and telephone interviews in the remaining 16 Member States.

Each section closes by summarising the main findings and presenting our recommendations for each topic.

4.1 Implementation of the legal instruments

Implementation and operational compliance with the Swedish Framework Decision

As outlined in section 3.3.1, the Swedish Framework Decision is the central legal basis for information exchange in the EU. In the EIXM Communication, the Commission found that the SFD had not yet reached its full potential and made several points for improvement. It invited Member States to:

Implement fully the Swedish Initiative, including its principle of equivalent access.

In addition, the Commission indicated that it would:

By December 2014, prepare for applying in this area the rules for ensuring national implementation of EU law.

The following sub-sections outline the developments in this area since the adoption of the EIXM Communication and the remaining gaps in order to shed light on the impact of the transposition and application of the SFD in daily practice. This will be done under the following sub-headings:

Transposition of the Swedish Framework Decision; Operational compliance with the Swedish Framework Decision’s legal requirements; Refusals to provide information on the basis of the Swedish Framework Decision; and Awareness of the Swedish Framework Decision and its perceived impacts.

27 | P a g e

4.1.1.1 Transposition of the Swedish Framework Decision

Two official reports have examined the implementation status and compliance with the SFD. In 2011, the application of the SFD was assessed by the Commission.68 At that time, 16 Member States had transposed the Decision or informed the Commission that their national legislation was already in line with it.

The following year, the Danish Presidency issued a survey to Member States in order to further assess the extent to which national legislation complies with the Framework Decision’s provisions. The relevant Council Report69 indicates that by that time 22 Member States, as well as Liechtenstein, Norway, and Switzerland had transposed the provisions or had notified the Council that their national legislation was already in line with it70. The five exceptions were Belgium71, Greece, Ireland, Italy and Luxembourg.

Based on the findings of this study, there has been some progress with regard to the transposition of the Decision since these reports. Greece adopted a presidential decree transposing the SFD in 201372 and Ireland has indicated that its national legislation is already in conformity with the SFD73. Belgium adopted implementing legislation on 25 May 2014. There are thus three Member States that are still to adopt implementing legislation, including Croatia that joined the EU in 2013. Interviewees from two of these Member States reported concrete plans for implementation. In Italy the matter is before Parliament. The police in Croatia were planning to start with implementation of the SFD in November 2014. The interviewees from Luxembourg had no plans for implementation to report.

The way the SFD has been transposed into national law in some Member States was criticised by a few policy makers and SPOC officers during the interviews. As a horizontal point relating to the transposition of the SFD in national law, some interviewees from these two groups noted that Member States have included the provisions of the SFD in several different national laws. This was regretted by these interviewees, who indicated that it would be clearer if the SFD could be found in one piece of national legislation or if an additional summarising decree (or similar) were adopted. We note, however, that this situation is not objectionable per se, as it is up to the Member States how to transpose EU legislation.

In addition, some interviewees noted that, in their opinion, not all aspects of the SFD are visible in the national laws, in particular relating to the principle of equivalent access and the time limits.

68 Commission Staff Working Paper on the operation of the Swedish Framework Decision, SEC(2011) 593 (available at: http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIT ). 69 Council Framework Decision 2006/960/JHA – Assessment of compliance pursuant to Article 11(2), Council Report, Council doc 14755/1/12 REV 1 (available at: http://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vj6iponbr3yj ). 70 Austria, Ireland, Malta, UK. 71 Although the provisions were not yet fully transposed, Belgium reported to the Council that the Belgian police authorities already fully complied with the Swedish Framework Decision. 72 Presidential decree 135/13. 73 EIXM Communication, p. 8.

http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIThttp://www.eumonitor.eu/9353000/1/j9vvik7m1c3gyxp/vj6iponbr3yj

28 | P a g e

4.1.1.2 Operational compliance with the Swedish Framework Decision’s legal requirements

Based on the research activities conducted for this study, the SFD is not yet applied as fully as it might be, as the previous reports have indicated.74 In terms of the use of and compliance with individual provisions, this sub-section discusses:

Use of the SFD forms; Compliance with time limits; Application of the principle of equivalent access; The extent to which information is shared with Europol; and The implications when judicial procedures are involved.

a) Use of the SFD forms

The forms provided in the annex of the SFD are rarely used because they are not considered helpful. This has already been raised by previous studies75 and seems still to be the case based on the findings of this study. Indeed, most of our interviewees stated that they consider the forms to be time-consuming and labour-intensive without producing added value, since they are too detailed and difficult to use. Therefore, in most cases, requests are not sent using the SFD forms.76 What is more, requests often do not refer to the SFD at all.

Interviewees from a few Member States noted that they use the form provided by SIENA for sending SFD requests. While there are not many Member States using the SFD forms integrated in SIENA, those who do so reported that this works rather well. SIENA provides support for easier filling in of the form, provides a certain validation of the content and a more automated way of dealing with the requests.

Based on a comparison of recent statistics provided by Europol to earlier statistics from the 2011 Commission’s report on application of the SFD, there has been an increase in the use of SIENA for this purpose in recent years: a total of 653 SFD initiative requests were sent via SIENA in 2013, while 998 SFD initiative requests were received via SIENA. This can be compared to the figures provided in the 2011 Commission’s report on application of the SFD, where it was indicated that the SFD form provided in SIENA has been used 56 times in 2009 and 51 times in 2010.77 These numbers do not represent the total numbers of SFD requests, but only the requests sent via SIENA.

74 These previous reports include: Commission Staff Working Paper on the operation of the Swedish Framework Decision, SEC(2011) 593; Council Framework Decision 2006/960/JHA – Assessment of compliance pursuant to Article 11(2), Council Report, Council doc 14755/1/12 REV 1; the EIXM Communication; Council conclusions following the Commission Communication on the EIXM, Justice and Home Affairs Council meeting in Luxembourg, 6 and 7 June 2013 (http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/137402.pdf ). The Council conclusions highlight in particular that there is room for improvement as concerns the implementation of the principle of equivalent access and the time limits. 75 For example, the 2012 Council report stated that ten Member States indicated that they do not use the form at all. Others state that they prefer the form provided by SIENA. Some Member States did indicate that they use the forms for urgent requests or that they use form B, which they understand to be legally binding. We note that the SFD does not state that form B is legally binding. There are, however, situations in which the use of form A is legally binding (see for instance Article 4.4). The Commission’s report on the application of the SFD similarly highlights that “only five Member States use the form annexed to the Framework Decision in order to request information.” 76 One interviewee pointed to a recent Dutch survey that came to the conclusion that the SFD limits rather than facilitates information exchange, mainly due to the cumbersome forms. 77 Commission Staff Working Paper on the operation of the Swedish Framework Decision, SEC(2011) 593 (available at: http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIT ).

http://www.consilium.europa.eu/uedocs/cms_data/docs/pressdata/en/jha/137402.pdfhttp://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIT

29 | P a g e

b) Compliance with time limits

The SFD’s time limits are generally considered a positive feature. The time limits are kept to in most cases, but some Member States appear to be persistent laggards.

The Commission’s report on application of the SFD states that the time limits seemed to be complied with in most cases.78 This was also the general perception of the interviewees for this study. However, it was also reported during the fieldwork conducted for this study that there are sometimes cases where responses are delayed, sometimes by several months. Most interviewees who mentioned delays stressed that they do not happen often and in most cases occur with specific Member States. Indeed, it is the perception of our interviewees that some Member States are typically slower than others,79 and there seems to have been no change in this regard in the past years. SPOC officers consulted regretted that response times are sometimes difficult to predict, as they generally seem to depend not only on the type of request, but also on the Member State. Where delays are typically associated with one Member State, this situation can lead to further delays, because some officers base their efforts on reciprocity. SPOCs are more inclined to provide quick responses to Member States that are usually also quick to reply and follow-up.

Apart from the propensity of certain Member States to be the source of delays, an important difficulty Member States struggle with is the limited number of SPOC staff. There has been an increase in message exchanges, but not an increase in resources in most Member States, as highlighted by our interviewees.80 Staff shortages are one of the main reasons for delays.

Staff may also be under workload pressure from messages that are not strictly necessary. Some of the law enforcement managers interviewed felt that there is room to decrease the number of messages to increase efficiency, i.e. by aiming to restrict international correspondence to messages that are strictly necessary. Follow-up questions, e.g. asking when a response to a request can be expected, are generally not necessary but cause additional work for SPOC staff. In addition, our research showed that “fishing” is sometimes used in SIENA, i.e. sending a request for a cross-border check with a copy to all Member States. Such requests must be answered, which creates a need for resources that is not proportionate to the added value of the request.

Based on the input from a few interviewees, it is not clear whether the time limits are correctly reflected in all Member States’ national laws or guidelines, which could be another reason for delays. For example, an interviewee from one Member State explained that the content of the SFD is reflected in three different national laws, but that the time limits are not explicitly mentioned. In another Member State a SPOC officer indicated that they have guidelines on response times, which are different from the SFD guidelines: non-urgent requests are to be responded to within one month, normal requests within ten days and urgent requests within 24 hours.81 Based on the SFD-mandated

78 The Commission received note from 26% of Member States that urgent requests have always been complied with. The majority of Member States, 62%, reported that the time limits for urgent requests are often complied with by their EU partners. There were also some Member States that “see compliance as a rare occurrence” (3%) or urgent requests can never be complied with (9%). Commission Staff Working Paper on the operation of the Swedish Framework Decision, SEC(2011) 593 (available at: http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIT ), p. 9. 79 This was also highlighted by Study on the Status of Information Exchange Amongst Law Enforcement Authorities in the Context of Existing EU Instruments, ICMPD (2010), (http://ec.europa.eu/dgs/home-affairs/doc_centre/police/docs/icmpd_study_lea_infoex.pdf ) p. 104. 80 This was also noted in Council Document DS 1800/13, “Answers to questionnaire on action 2 of IMS action list”, which indicates that “all Member States note an increase, with an average of 10% to 20% per year, of the incoming requests during the past ten years”. 81 Commission Staff Working Paper on the operation of the Swedish Framework Decision, p. 9: “All Member States have informed that they have legislative-based or practical procedures in place so that they can respond within at most eight hours to urgent requests for information and intelligence, in accordance with Article 4(1) of the Framework Decision.”

http://register.consilium.europa.eu/doc/srv?l=EN&f=ST%2010316%202011%20INIThttp://ec.europa.eu/dgs/home-affairs/doc_centre/police/docs/icmpd_study_lea_infoex.pdfhttp://ec.europa.eu/dgs/home-affairs/doc_centre/police/docs/icmpd_study_lea_infoex.pdf

30 | P a g e

time limits, urgent requests shall be responded to in eight hours, non-urgent cases shall be responded to within one week, and all other requests shall be responded to within 14 days. These issues were, however, only reported by individual interviewees. Irrespective of the time limits, most interviewees stated that they usually try to reply as quickly as possible.82

Technical differences can also lead to delays, as several interviewees highlighted. Achieving interoperability is still a challenge: our research showed that message content sometimes needs to be transferred manually from one programme to another because the channels used for international information exchange and internal messaging systems are not connected. In addition, an interviewee from the IT department of a law enforcement authority explained that there can be difficulties in cross-matching names, because diacritical marks are converted in different ways (e.g. a German “ü” could be written as “u” or “ue”).

Another fa